How Can I Tell Which Switches Were Used When Starting an Executable File?

ScriptingGuy1

Hey, Scripting Guy! Question

Hey, Scripting Guy! Is there any way to tell which command-line arguments (if any) were used when starting an executable file?

— TO

SpacerHey, Scripting Guy! AnswerScript Center

Hey, TO. We don’t mean to cause a scandal in the scripting world – well, OK, we don’t mean to cause any more scandals in the scripting world. But – gasp! – we’re going to cheat a little bit here. This is the first time we’ve ever been asked this question, and yet, to answer it, we’re going to recycle an answer to a different question we were asked a few months ago.

So here goes: as long as you’re running Windows XP or Windows Server 2003, then, yes, it’s very easy to tell which command-line arguments (if any) were used when starting an executable file. That’s because in these two versions of Windows (but not in previous versions), the WMI class Win32_Process includes a property named CommandLine that provides the complete command line (including switches) used to start an executable file.

For example, suppose Netstat.exe is running on a computer, and you want to know which command-line switches were used to start the program. Here’s a script that can tell you that:

strComputer = “.”

Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2”) Set colItems = objWMIService.ExecQuery _ (“Select * From Win32_Process Where Name = ‘netstat.exe'”)

For Each objItem in colItems Wscript.Echo objItem.CommandLine Next

As you can see, a pretty simple little script: we return a collection of all the processes that have the name Netstat.exe, and then we echo the CommandLine property for each one. Suppose we started Netstat using this command: netstat.exe -a 30. In that case, here’s what our script would report for the CommandLine property:

netstat.exe -a 30

Just what you hoped it would report.

The interesting thing about the CommandLine property is that it will often give you useful information even if you never touch the command line. For example, suppose you have a script named C:\Scripts\Inventory.vbs, and suppose you right-click the file in My Computer and choose Edit. That will open the script up in Notepad (assuming Notepad is your default script editor). And here’s the CommandLine property for that instance of Notepad:

C:\WINDOWS\System32\Notepad.exe C:\scripts\inventory.vbs

In other words, not only do we know that Notepad is open, but we know which file (inventory.vbs) is open. This same approach will work will a number of different applications although, for some reason, it doesn’t work with Microsoft Word or Excel. (Interestingly enough, though, it will with PowerPoint.) With Word and Excel applications, you get the CommandLine for starting the program, but no indication as to what document is open. Instead, you get back a generic command-line string like this:

“C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE” /e

A mystery we’ll have to investigate some other time.

By the way, if the suspense is killing you, we used this same answer (the CommandLine property of the Win32_Process class) in response to this question: How can I tell which scripts are running on a computer? To do that, you look at the CommandLine property for any Wscript.exe and CScript.exe processes; the CommandLine will include the name of the script being run under one of those script hosts. Or, to put it programmatically:

strComputer = “.”

Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\cimv2”) Set colItems = objWMIService.ExecQuery _ (“Select * From Win32_Process Where Name = ‘wscript.exe’ OR Name = ‘cscript.exe’”)

For Each objItem in colItems Wscript.Echo objItem.CommandLine Next

0 comments

Discussion is closed.

Feedback usabilla icon